Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RFC] Risk Score Extensions - Stage 2 #2276

Open
wants to merge 12 commits into
base: main
Choose a base branch
from

Conversation

rylnd
Copy link
Contributor

@rylnd rylnd commented Sep 19, 2023

  • Adds Source Data example
  • Adds Scope of Impact section
  • Updates Concerns section
  • Adds asset criticality fields
  • Updates category scores to be normalized
  • Swaps definitions of Categories 2 and 4 (so that 2 is released in 8.13)

* Adds Source Data example
* Adds Scope of Impact section
* Updates Concerns section
@rylnd rylnd requested a review from a team as a code owner September 19, 2023 02:38
rfcs/text/0042-risk-score-extensions.md Show resolved Hide resolved
rfcs/text/0042-risk-score-extensions.md Outdated Show resolved Hide resolved
The following is an example alert from Kibana's detection engine. This alert would contribute to a user risk score for `Arturo_Haley`.

```json
{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not seeing the fields from https://github.com/elastic/ecs/blob/main/rfcs/text/0042/risk.yml included in the example alert included. Are those fields still relevant?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is probably my misunderstanding; I didn't quite understand what "source document" meant in this context, so this is an alert document from which a risk score document would be derived. Should this instead be a risk score document?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is to capture one or more real-world examples of how these fields are used, ideally like you'd see in the _source field of a ES document.

Should this instead be a risk score document?

I'm not familiar with what's in a risk score document. If the risk score doc provides examples using the risk.category_*_score and risk.category_*_count fields as proposed, yes, I think that's helpful.

rylnd and others added 4 commits September 28, 2023 16:41
Co-authored-by: Eric Beahan <ebeahan@gmail.com>
I misunderstood the "source data" section; a risk score document is what
actually shows the proposed fields being used.
@rylnd
Copy link
Contributor Author

rylnd commented Nov 29, 2023

@ebeahan I updated the example doc here (6fc0186); can you take another pass when you have some time?

This represents the total number of alerts that were processed to create
this risk score; having a larger number is both more realistic, and also
highlights the fact that the number of inputs will be very small
compared to this number.
We've added this functionality within the product, we should discuss and
add these fields to ECS as well.
This was previously not clear from the examples/descriptions: category
scores will be normalized to the 0-100 range, and only the
`calculated_score` represents the "raw" score of the entity.
* category scores are within 0-100
* category scores sum to the calculated_score_norm
* category 5 is present since criticality is present
@@ -97,7 +97,7 @@
type: float
example: 75.0
description: >
The contribution of Category 5 to the overall risk score (`calculated_score`).
The contribution of Category 5 to the overall normalized risk score (`calculated_score_norm`).
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ebeahan @SourinPaul this was the main change I made to convey that these category scores are themselves normalized. I originally had included the phrase "normalized contribution" to be more explicit, but that seemed redundant since the contribution to a normalized score only really makes sense if they can be compared (/are normalized / exist in the same value range, etc). Let me know if you opinions/suggestions.

@rylnd
Copy link
Contributor Author

rylnd commented Dec 8, 2023

@ebeahan I just pushed some changes here, summarized as:

  • Call out that category score fields are also normalized
  • Add asset criticality fields opted to leave these out of the RFC

I think that's appropriate here, but let me know if I'm mistaken and I can amend.

We decided to number our risk categories based on the order in which
they are introduced in kibana. Since Asset Criticality is being released
next, and AC corresponds to the Entity Contexts category, it's now
Category 2.
This reverts commit 323ed90.

 Conflicts:
	rfcs/text/0042-risk-score-extensions.md
	rfcs/text/0042/risk.yml
Copy link

github-actions bot commented Apr 2, 2024

This PR is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the stale Stale issues and pull requests label Apr 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
stale Stale issues and pull requests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants